From 30be4647ad5326bdb77f02c0091411775c1e5fb9 Mon Sep 17 00:00:00 2001
From: Thomas Gazagnaire
Date: Fri, 17 Mar 2017 17:39:57 +0100
Subject: [PATCH] Restructure the mirage/dhcp container into the new project structure
Signed-off-by: Thomas Gazagnaire
---
 base/dhcp-client/ROADMAP.md | 22 --------
 moby.yaml | 7 ---
 .../miragesdk/README.md | 29 ++++++++---
 .../miragesdk}/dhcp-client/.gitignore | 0
 .../miragesdk}/dhcp-client/Dockerfile.build | 0
 .../miragesdk}/dhcp-client/Dockerfile.dev | 0
 .../miragesdk}/dhcp-client/Dockerfile.pkg | 0
 .../miragesdk}/dhcp-client/Makefile | 0
 .../miragesdk}/dhcp-client/README.md | 0
 .../miragesdk}/dhcp-client/calf/.merlin | 0
 .../miragesdk}/dhcp-client/calf/config.ml | 0
 .../miragesdk}/dhcp-client/calf/unikernel.ml | 0
 .../miragesdk}/dhcp-client/init-dev.sh | 0
 .../miragesdk}/dhcp-client/src/.merlin | 0
 .../miragesdk}/dhcp-client/src/_tags | 0
 .../miragesdk}/dhcp-client/src/inflator.ml | 0
 .../miragesdk}/dhcp-client/src/io_fs.ml | 0
 .../miragesdk}/dhcp-client/src/main.ml | 0
 projects/miragesdk/examples/mirage-dhcp.yaml | 50 +++++++++++++++++++
 .../miragesdk}/mirage-compile/.gitignore | 0
 .../miragesdk}/mirage-compile/Dockerfile | 0
 .../miragesdk}/mirage-compile/Makefile | 0
 .../miragesdk}/mirage-compile/compile.sh | 0
 23 files changed, 73 insertions(+), 35 deletions(-)
 delete mode 100644 base/dhcp-client/ROADMAP.md
 rename docs/unikernels.md => projects/miragesdk/README.md (84%)
 rename {base => projects/miragesdk}/dhcp-client/.gitignore (100%)
 rename {base => projects/miragesdk}/dhcp-client/Dockerfile.build (100%)
 rename {base => projects/miragesdk}/dhcp-client/Dockerfile.dev (100%)
 rename {base => projects/miragesdk}/dhcp-client/Dockerfile.pkg (100%)
 rename {base => projects/miragesdk}/dhcp-client/Makefile (100%)
 rename {base => projects/miragesdk}/dhcp-client/README.md (100%)
 rename {base => projects/miragesdk}/dhcp-client/calf/.merlin (100%)
 rename {base => projects/miragesdk}/dhcp-client/calf/config.ml (100%)
 rename {base => projects/miragesdk}/dhcp-client/calf/unikernel.ml (100%)
 rename {base => projects/miragesdk}/dhcp-client/init-dev.sh (100%)
 rename {base => projects/miragesdk}/dhcp-client/src/.merlin (100%)
 rename {base => projects/miragesdk}/dhcp-client/src/_tags (100%)
 rename {base => projects/miragesdk}/dhcp-client/src/inflator.ml (100%)
 rename {base => projects/miragesdk}/dhcp-client/src/io_fs.ml (100%)
 rename {base => projects/miragesdk}/dhcp-client/src/main.ml (100%)
 create mode 100644 projects/miragesdk/examples/mirage-dhcp.yaml
 rename {tools => projects/miragesdk}/mirage-compile/.gitignore (100%)
 rename {tools => projects/miragesdk}/mirage-compile/Dockerfile (100%)
 rename {tools => projects/miragesdk}/mirage-compile/Makefile (100%)
 rename {tools => projects/miragesdk}/mirage-compile/compile.sh (100%)
diff --git a/base/dhcp-client/ROADMAP.md b/base/dhcp-client/ROADMAP.md
deleted file mode 100644
index fd0e1ba1f..000000000
--- a/base/dhcp-client/ROADMAP.md
+++ /dev/null
@@ -1,22 +0,0 @@
-## Roadmap
-
-Very basic roadmap, to be improved shortly.
-
-### Done
-
-- use 2 static binaries privileged + unikernel (calf) in the container,
- connected via socketpairs and pipes.
-- use eBPF to filter DHCP traffic
-- redirect the calf's sterr/stdout to the priv container
-- the priv exposes a simple HTTP interface to the calf, and read/write
- are stored into a local Datakit/Git repo.
-- use upstream MirageOS's charrua-core.
-
-### TODO
-
-- current: make the packets flow in both directions
-- use runc to isolate the calf
-- use seccomp to isolate the privileged container
-- use the DHCP results to actually update the system
-- add metrics aggregation (using prometheus)
-- better logging aggregation (using syslog)
diff --git a/moby.yaml b/moby.yaml
index 1b1830323..971539382 100644
--- a/moby.yaml
+++ b/moby.yaml
@@ -17,13 +17,6 @@ system:
 - /proc/sys/fs/binfmt_misc:/binfmt_misc
 read_only: true
 command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc]
- - name: dhcp-client
- network_mode: host
- image: "mobylinux/dhcp-client:dc3fd177a588ca9a850cfc75dd9083fb26d278dc"
- capabilities:
- - CAP_NET_RAW
- command: [/dhcp-client]
- read_only: true
 daemon:
 - name: rngd
 image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9@sha256:1c93c1db7196f6f71f8e300bc1d15f0376dd18e8891c8789d77c8ff19f3a9a92"
diff --git a/docs/unikernels.md b/projects/miragesdk/README.md
similarity index 84%
rename from docs/unikernels.md
rename to projects/miragesdk/README.md
index bf51a5985..d027e3a33 100644
--- a/docs/unikernels.md
+++ b/projects/miragesdk/README.md
@@ -7,7 +7,7 @@
 | privileged shim | | calf |
 |=================| |================|
 | | | |
- eth0 ----> | eBPF rules | <--- network IO ---> | type-safe |
+<-- eth0 ---> | eBPF rules | <--- network IO ---> | type-safe |
 | | (data path) | network stack |
 | | | |
 |-----------------| |----------------|
@@ -86,7 +86,7 @@ share it with the calf on startup).
 - Has access to a Mirage_net.S interface for network traffic
 - Has access to a a simple KV interface
-Internally, it might use something more typed than a KV store:
+Internally, it uses something more typed than a KV store:
 ```
 module Shim: sig
@@ -114,8 +114,25 @@ What the SDK should enable:
 ### Roadmap
-- first PoC
-- ipv6 support
-- gracefully handle expiration
+#### first PoC: DHCP client
+
+Current status: one container containing two static binaries (priv + calf),
+private pipes open between the process for stdout/stderr aggregation +
+raw sockets (data path). Control path is using a simple HTTP server running
+in the priv container. The calf is using the dev version of mirage/charrua-core,
+and is able to get a DHCP lease on boot.
+
+##### TODO
+
+- use runc to isolate the calf
+- eBPF filtering
+- use seccomp to isolate the privileged container
+- use the DHCP results to actually update the system
+- add metrics aggregation (using prometheus)
+- better logging aggregation (using syslog)
+- IPv6 support
 - tests, tests, tests (especially against non compliant RFC servers)
-- second iteration: NTP
\ No newline at end of file
+
+### Second iteration: NTP
+
+TODO
\ No newline at end of file
diff --git a/base/dhcp-client/.gitignore b/projects/miragesdk/dhcp-client/.gitignore
similarity index 100%
rename from base/dhcp-client/.gitignore
rename to projects/miragesdk/dhcp-client/.gitignore
diff --git a/base/dhcp-client/Dockerfile.build b/projects/miragesdk/dhcp-client/Dockerfile.build
similarity index 100%
rename from base/dhcp-client/Dockerfile.build
rename to projects/miragesdk/dhcp-client/Dockerfile.build
diff --git a/base/dhcp-client/Dockerfile.dev b/projects/miragesdk/dhcp-client/Dockerfile.dev
similarity index 100%
rename from base/dhcp-client/Dockerfile.dev
rename to projects/miragesdk/dhcp-client/Dockerfile.dev
diff --git a/base/dhcp-client/Dockerfile.pkg b/projects/miragesdk/dhcp-client/Dockerfile.pkg
similarity index 100%
rename from base/dhcp-client/Dockerfile.pkg
rename to projects/miragesdk/dhcp-client/Dockerfile.pkg
diff --git a/base/dhcp-client/Makefile b/projects/miragesdk/dhcp-client/Makefile
similarity index 100%
rename from base/dhcp-client/Makefile
rename to projects/miragesdk/dhcp-client/Makefile
diff --git a/base/dhcp-client/README.md b/projects/miragesdk/dhcp-client/README.md
similarity index 100%
rename from base/dhcp-client/README.md
rename to projects/miragesdk/dhcp-client/README.md
diff --git a/base/dhcp-client/calf/.merlin b/projects/miragesdk/dhcp-client/calf/.merlin
similarity index 100%
rename from base/dhcp-client/calf/.merlin
rename to projects/miragesdk/dhcp-client/calf/.merlin
diff --git a/base/dhcp-client/calf/config.ml b/projects/miragesdk/dhcp-client/calf/config.ml
similarity index 100%
rename from base/dhcp-client/calf/config.ml
rename to projects/miragesdk/dhcp-client/calf/config.ml
diff --git a/base/dhcp-client/calf/unikernel.ml b/projects/miragesdk/dhcp-client/calf/unikernel.ml
similarity index 100%
rename from base/dhcp-client/calf/unikernel.ml
rename to projects/miragesdk/dhcp-client/calf/unikernel.ml
diff --git a/base/dhcp-client/init-dev.sh b/projects/miragesdk/dhcp-client/init-dev.sh
similarity index 100%
rename from base/dhcp-client/init-dev.sh
rename to projects/miragesdk/dhcp-client/init-dev.sh
diff --git a/base/dhcp-client/src/.merlin b/projects/miragesdk/dhcp-client/src/.merlin
similarity index 100%
rename from base/dhcp-client/src/.merlin
rename to projects/miragesdk/dhcp-client/src/.merlin
diff --git a/base/dhcp-client/src/_tags b/projects/miragesdk/dhcp-client/src/_tags
similarity index 100%
rename from base/dhcp-client/src/_tags
rename to projects/miragesdk/dhcp-client/src/_tags
diff --git a/base/dhcp-client/src/inflator.ml b/projects/miragesdk/dhcp-client/src/inflator.ml
similarity index 100%
rename from base/dhcp-client/src/inflator.ml
rename to projects/miragesdk/dhcp-client/src/inflator.ml
diff --git a/base/dhcp-client/src/io_fs.ml b/projects/miragesdk/dhcp-client/src/io_fs.ml
similarity index 100%
rename from base/dhcp-client/src/io_fs.ml
rename to projects/miragesdk/dhcp-client/src/io_fs.ml
diff --git a/base/dhcp-client/src/main.ml b/projects/miragesdk/dhcp-client/src/main.ml
similarity index 100%
rename from base/dhcp-client/src/main.ml
rename to projects/miragesdk/dhcp-client/src/main.ml
diff --git a/projects/miragesdk/examples/mirage-dhcp.yaml b/projects/miragesdk/examples/mirage-dhcp.yaml
new file mode 100644
index 000000000..1b1830323
--- /dev/null
+++ b/projects/miragesdk/examples/mirage-dhcp.yaml
@@ -0,0 +1,50 @@
+kernel:
+ image: "mobylinux/kernel:4.9.x"
+ cmdline: "console=ttyS0 page_poison=1"
+init: "mobylinux/init:d6d115d601e78f7909d4a2ff7eb4caa3fff65271"
+system:
+ - name: sysctl
+ image: "mobylinux/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
+ network_mode: host
+ pid: host
+ ipc: host
+ capabilities:
+ - CAP_SYS_ADMIN
+ read_only: true
+ - name: binfmt
+ image: "mobylinux/binfmt:bdb754f25a5d851b4f5f8d185a43dfcbb3c22d01"
+ binds:
+ - /proc/sys/fs/binfmt_misc:/binfmt_misc
+ read_only: true
+ command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc]
+ - name: dhcp-client
+ network_mode: host
+ image: "mobylinux/dhcp-client:dc3fd177a588ca9a850cfc75dd9083fb26d278dc"
+ capabilities:
+ - CAP_NET_RAW
+ command: [/dhcp-client]
+ read_only: true
+daemon:
+ - name: rngd
+ image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9@sha256:1c93c1db7196f6f71f8e300bc1d15f0376dd18e8891c8789d77c8ff19f3a9a92"
+ capabilities:
+ - CAP_SYS_ADMIN
+ oom_score_adj: -800
+ read_only: true
+ command: [/bin/tini, /usr/sbin/rngd, -f]
+ - name: nginx
+ image: "nginx:alpine"
+ capabilities:
+ - CAP_NET_BIND_SERVICE
+ - CAP_CHOWN
+ - CAP_SETUID
+ - CAP_SETGID
+ - CAP_DAC_OVERRIDE
+ network_mode: host
+files:
+ - path: etc/docker/daemon.json
+ contents: '{"debug": true}'
+outputs:
+ - format: kernel+initrd
+ - format: iso-bios
+ - format: iso-efi
diff --git a/tools/mirage-compile/.gitignore b/projects/miragesdk/mirage-compile/.gitignore
similarity index 100%
rename from tools/mirage-compile/.gitignore
rename to projects/miragesdk/mirage-compile/.gitignore
diff --git a/tools/mirage-compile/Dockerfile b/projects/miragesdk/mirage-compile/Dockerfile
similarity index 100%
rename from tools/mirage-compile/Dockerfile
rename to projects/miragesdk/mirage-compile/Dockerfile
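Review bot: The `nginx` daemon entry in the new example (`- name: nginx` through `network_mode: host`) uses the floating tag `image: "nginx:alpine"` and is the only container in the file without `read_only: true`, while every other image here is pinned to a commit hash or an `@sha256:` digest. The blob id `1b1830323` in the `index` line is the same as the pre-change `moby.yaml`, so this appears to be a verbatim copy rather than a config trimmed to what the example demonstrates; the nginx daemon (running with `CAP_SETUID`, `CAP_SETGID` and `CAP_DAC_OVERRIDE` on the host network) and the `etc/docker/daemon.json` file with `'{"debug": true}'` have nothing to do with the DHCP client. I would drop those two stanzas from the example; if nginx is kept, pin it (`image: "nginx:alpine@sha256:<digest-to-fill-in>"`) and add `read_only: true` under it so it matches the other containers. A one-line header comment such as `# Example: boot a moby image with the MirageOS dhcp-client as a system container` would also tell readers why this file lives next to the SDK.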
diff --git a/tools/mirage-compile/Makefile b/projects/miragesdk/mirage-compile/Makefile
similarity index 100%
rename from tools/mirage-compile/Makefile
rename to projects/miragesdk/mirage-compile/Makefile
diff --git a/tools/mirage-compile/compile.sh b/projects/miragesdk/mirage-compile/compile.sh
similarity index 100%
rename from tools/mirage-compile/compile.sh
rename to projects/miragesdk/mirage-compile/compile.sh